[....] Starting enhanced syslogd: rsyslogd[ 12.700190] audit: type=1400 audit(1514746272.986:5): avc: denied { syslog } for pid=3350 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [ ok ]. [....] Starting periodic command scheduler: cron [ ok ]. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond [ ok ]. [....] Starting OpenBSD Secure Shell server: sshd [ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 17.586325] audit: type=1400 audit(1514746277.872:6): avc: denied { map } for pid=3490 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.0.8' (ECDSA) to the list of known hosts. executing program [ 29.010336] audit: type=1400 audit(1514746289.296:7): avc: denied { map } for pid=3505 comm="syzkaller961553" path="/root/syzkaller961553860" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 29.018679] device syz0 entered promiscuous mode [ 29.046404] ================================================================== [ 29.053842] BUG: KASAN: slab-out-of-bounds in __dev_queue_xmit+0x27c8/0x2920 [ 29.061016] Read of size 2 at addr ffff8801beceb1e0 by task syzkaller961553/3505 [ 29.068529] [ 29.070135] CPU: 1 PID: 3505 Comm: syzkaller961553 Not tainted 4.15.0-rc5+ #154 [ 29.077553] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 29.086890] Call Trace: [ 29.089461] dump_stack+0x194/0x257 [ 29.093083] ? arch_local_irq_restore+0x53/0x53 [ 29.097739] ? show_regs_print_info+0x18/0x18 [ 29.102218] ? lock_release+0xa40/0xa40 [ 29.106166] ? memset+0x31/0x40 [ 29.109422] ? 
__dev_queue_xmit+0x27c8/0x2920 [ 29.113899] print_address_description+0x73/0x250 [ 29.118733] ? __dev_queue_xmit+0x27c8/0x2920 [ 29.123212] kasan_report+0x25b/0x340 [ 29.126991] __asan_report_load2_noabort+0x14/0x20 [ 29.131898] __dev_queue_xmit+0x27c8/0x2920 [ 29.136209] ? netdev_pick_tx+0x300/0x300 [ 29.140340] ? find_held_lock+0x35/0x1d0 [ 29.144380] ? __might_fault+0x110/0x1d0 [ 29.148412] ? lock_downgrade+0x980/0x980 [ 29.152529] ? lock_release+0xa40/0xa40 [ 29.156472] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 29.162323] ? refcount_add+0x24/0x60 [ 29.166096] ? skb_set_owner_w+0x232/0x330 [ 29.170304] ? __might_sleep+0x95/0x190 [ 29.174255] ? kasan_check_write+0x14/0x20 [ 29.178458] ? copyin+0x91/0xb0 [ 29.181710] ? _copy_from_iter+0x367/0xf30 [ 29.185915] ? __check_object_size+0x25d/0x4f0 [ 29.190474] ? check_stack_object+0x140/0x140 [ 29.194943] ? copy_page_to_iter+0xe10/0xe10 [ 29.199320] ? _copy_from_iter_full+0x22b/0xbb0 [ 29.203967] ? skb_copy_datagram_from_iter+0x3b1/0x5c0 [ 29.209213] ? iov_iter_advance+0x13f0/0x13f0 [ 29.213700] ? mem_cgroup_update_lru_size+0xe0/0xe0 [ 29.218690] dev_queue_xmit+0x17/0x20 [ 29.222456] ? dev_queue_xmit+0x17/0x20 [ 29.226399] packet_sendmsg+0x3aed/0x60b0 [ 29.230520] ? find_held_lock+0x35/0x1d0 [ 29.234566] ? avc_has_perm+0x35e/0x680 [ 29.238523] ? trace_event_raw_event_mm_lru_activate+0x98/0x220 [ 29.244558] ? packet_cached_dev_get+0x2b0/0x2b0 [ 29.249286] ? avc_has_perm+0x43e/0x680 [ 29.253232] ? avc_has_perm_noaudit+0x520/0x520 [ 29.257879] ? check_noncircular+0x20/0x20 [ 29.262081] ? lru_cache_add+0x1c7/0x3a0 [ 29.266114] ? get_mem_cgroup_from_mm+0x710/0x710 [ 29.270928] ? lru_cache_add_file+0x20/0x20 [ 29.275223] ? find_held_lock+0x35/0x1d0 [ 29.279257] ? avc_has_perm+0x35e/0x680 [ 29.283202] ? sock_has_perm+0x2a4/0x420 [ 29.287233] ? selinux_secmark_relabel_packet+0xc0/0xc0 [ 29.292564] ? __handle_mm_fault+0x26a2/0x3ce0 [ 29.297131] ? selinux_socket_sendmsg+0x36/0x40 [ 29.301777] ? 
security_socket_sendmsg+0x89/0xb0 [ 29.306516] ? packet_cached_dev_get+0x2b0/0x2b0 [ 29.311251] sock_sendmsg+0xca/0x110 [ 29.314943] sock_write_iter+0x31a/0x5d0 [ 29.318973] ? sock_sendmsg+0x110/0x110 [ 29.322926] ? iov_iter_init+0xaf/0x1d0 [ 29.326875] __vfs_write+0x684/0x970 [ 29.330558] ? kernel_read+0x120/0x120 [ 29.334411] ? bpf_fd_pass+0x280/0x280 [ 29.338271] ? _cond_resched+0x14/0x30 [ 29.342130] ? selinux_file_permission+0x82/0x460 [ 29.346947] ? rw_verify_area+0xe5/0x2b0 [ 29.350973] ? __fdget_raw+0x20/0x20 [ 29.354657] vfs_write+0x189/0x510 [ 29.358188] SyS_write+0xef/0x220 [ 29.361612] ? __do_page_fault+0x3d6/0xc90 [ 29.365820] ? SyS_read+0x220/0x220 [ 29.369423] ? do_fast_syscall_32+0x156/0xf9d [ 29.373892] ? SyS_read+0x220/0x220 [ 29.377489] do_fast_syscall_32+0x3ee/0xf9d [ 29.381786] ? do_int80_syscall_32+0x9d0/0x9d0 [ 29.386335] ? kasan_check_read+0x11/0x20 [ 29.390453] ? syscall_return_slowpath+0x550/0x550 [ 29.395351] ? SyS_rt_sigaction+0x94/0x1b0 [ 29.399553] ? SyS_sigprocmask+0x4b0/0x4b0 [ 29.403751] ? SyS_read+0x184/0x220 [ 29.407346] ? retint_user+0x18/0x18 [ 29.411042] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 29.415867] entry_SYSENTER_compat+0x54/0x63 [ 29.420242] RIP: 0023:0xf7f7cc79 [ 29.423569] RSP: 002b:00000000ffd5fc9c EFLAGS: 00000297 ORIG_RAX: 0000000000000004 [ 29.431244] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000020fecf2b [ 29.438482] RDX: 00000000000000ce RSI: 00000000080ef00c RDI: 000000000000003f [ 29.445718] RBP: 0000000000001000 R08: 0000000000000000 R09: 0000000000000000 [ 29.452957] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 29.460198] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 29.467453] [ 29.469048] Allocated by task 3505: [ 29.472653] save_stack+0x43/0xd0 [ 29.476078] kasan_kmalloc+0xad/0xe0 [ 29.479762] __kmalloc_node_track_caller+0x47/0x70 [ 29.484658] __kmalloc_reserve.isra.39+0x41/0xd0 [ 29.489379] __alloc_skb+0x13b/0x780 [ 29.493059] alloc_skb_with_frags+0x10d/0x750 [ 29.497523] sock_alloc_send_pskb+0x787/0x9b0 [ 29.501990] packet_sendmsg+0x1ece/0x60b0 [ 29.506108] sock_sendmsg+0xca/0x110 [ 29.509787] sock_write_iter+0x31a/0x5d0 [ 29.513825] __vfs_write+0x684/0x970 [ 29.517509] vfs_write+0x189/0x510 [ 29.521015] SyS_write+0xef/0x220 [ 29.524439] do_fast_syscall_32+0x3ee/0xf9d [ 29.528728] entry_SYSENTER_compat+0x54/0x63 [ 29.533097] [ 29.534690] Freed by task 0: [ 29.537669] (stack is not available) [ 29.541343] [ 29.542941] The buggy address belongs to the object at ffff8801becead80 [ 29.542941] which belongs to the cache kmalloc-1024 of size 1024 [ 29.555743] The buggy address is located 96 bytes to the right of [ 29.555743] 1024-byte region [ffff8801becead80, ffff8801beceb180) [ 29.568105] The buggy address belongs to the page: [ 29.573003] page:00000000be4d1309 count:1 mapcount:0 mapping:00000000c412f3fd index:0x0 compound_mapcount: 0 [ 29.582941] flags: 0x2fffc0000008100(slab|head) [ 29.587579] raw: 02fffc0000008100 ffff8801becea000 0000000000000000 0000000100000007 [ 29.595423] raw: ffffea0006fd3aa0 ffff8801dac01848 ffff8801dac00ac0 
0000000000000000 [ 29.603273] page dumped because: kasan: bad access detected [ 29.608950] [ 29.610557] Memory state around the buggy address: [ 29.615451] ffff8801beceb080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 29.622781] ffff8801beceb100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 29.630113] >ffff8801beceb180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 29.637438] ^ [ 29.643902] ffff8801beceb200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 29.651226] ffff8801beceb280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 29.658551] ================================================================== [ 29.665874] Disabling lock debugging due to kernel taint [ 29.671344] Kernel panic - not syncing: panic_on_warn set ... [ 29.671344] [ 29.678693] CPU: 1 PID: 3505 Comm: syzkaller961553 Tainted: G B 4.15.0-rc5+ #154 [ 29.687436] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 29.696763] Call Trace: [ 29.699325] dump_stack+0x194/0x257 [ 29.702922] ? arch_local_irq_restore+0x53/0x53 [ 29.707562] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 29.712286] ? vsnprintf+0x1ed/0x1900 [ 29.716055] ? __dev_queue_xmit+0x2730/0x2920 [ 29.720533] panic+0x1e4/0x41c [ 29.723695] ? refcount_error_report+0x214/0x214 [ 29.728418] ? add_taint+0x1c/0x50 [ 29.731922] ? add_taint+0x1c/0x50 [ 29.735432] ? __dev_queue_xmit+0x27c8/0x2920 [ 29.739895] kasan_end_report+0x50/0x50 [ 29.743842] kasan_report+0x144/0x340 [ 29.747619] __asan_report_load2_noabort+0x14/0x20 [ 29.752523] __dev_queue_xmit+0x27c8/0x2920 [ 29.756816] ? netdev_pick_tx+0x300/0x300 [ 29.760935] ? find_held_lock+0x35/0x1d0 [ 29.764967] ? __might_fault+0x110/0x1d0 [ 29.768995] ? lock_downgrade+0x980/0x980 [ 29.773122] ? lock_release+0xa40/0xa40 [ 29.777064] ? trace_event_raw_event_sched_switch+0x800/0x800 [ 29.782922] ? refcount_add+0x24/0x60 [ 29.786703] ? skb_set_owner_w+0x232/0x330 [ 29.790906] ? __might_sleep+0x95/0x190 [ 29.794846] ? 
kasan_check_write+0x14/0x20 [ 29.799044] ? copyin+0x91/0xb0 [ 29.802290] ? _copy_from_iter+0x367/0xf30 [ 29.806494] ? __check_object_size+0x25d/0x4f0 [ 29.811045] ? check_stack_object+0x140/0x140 [ 29.815514] ? copy_page_to_iter+0xe10/0xe10 [ 29.819889] ? _copy_from_iter_full+0x22b/0xbb0 [ 29.824536] ? skb_copy_datagram_from_iter+0x3b1/0x5c0 [ 29.829794] ? iov_iter_advance+0x13f0/0x13f0 [ 29.834276] ? mem_cgroup_update_lru_size+0xe0/0xe0 [ 29.839282] dev_queue_xmit+0x17/0x20 [ 29.843052] ? dev_queue_xmit+0x17/0x20 [ 29.846995] packet_sendmsg+0x3aed/0x60b0 [ 29.851125] ? find_held_lock+0x35/0x1d0 [ 29.855162] ? avc_has_perm+0x35e/0x680 [ 29.859110] ? trace_event_raw_event_mm_lru_activate+0x98/0x220 [ 29.865137] ? packet_cached_dev_get+0x2b0/0x2b0 [ 29.870426] ? avc_has_perm+0x43e/0x680 [ 29.874368] ? avc_has_perm_noaudit+0x520/0x520 [ 29.879010] ? check_noncircular+0x20/0x20 [ 29.883218] ? lru_cache_add+0x1c7/0x3a0 [ 29.887246] ? get_mem_cgroup_from_mm+0x710/0x710 [ 29.892058] ? lru_cache_add_file+0x20/0x20 [ 29.896348] ? find_held_lock+0x35/0x1d0 [ 29.900382] ? avc_has_perm+0x35e/0x680 [ 29.904325] ? sock_has_perm+0x2a4/0x420 [ 29.908355] ? selinux_secmark_relabel_packet+0xc0/0xc0 [ 29.913691] ? __handle_mm_fault+0x26a2/0x3ce0 [ 29.918246] ? selinux_socket_sendmsg+0x36/0x40 [ 29.922888] ? security_socket_sendmsg+0x89/0xb0 [ 29.927620] ? packet_cached_dev_get+0x2b0/0x2b0 [ 29.932343] sock_sendmsg+0xca/0x110 [ 29.936033] sock_write_iter+0x31a/0x5d0 [ 29.940060] ? sock_sendmsg+0x110/0x110 [ 29.944009] ? iov_iter_init+0xaf/0x1d0 [ 29.947952] __vfs_write+0x684/0x970 [ 29.951634] ? kernel_read+0x120/0x120 [ 29.955495] ? bpf_fd_pass+0x280/0x280 [ 29.959361] ? _cond_resched+0x14/0x30 [ 29.963241] ? selinux_file_permission+0x82/0x460 [ 29.968069] ? rw_verify_area+0xe5/0x2b0 [ 29.972111] ? __fdget_raw+0x20/0x20 [ 29.975812] vfs_write+0x189/0x510 [ 29.979333] SyS_write+0xef/0x220 [ 29.982769] ? __do_page_fault+0x3d6/0xc90 [ 29.986994] ? SyS_read+0x220/0x220 [ 29.990617] ? 
do_fast_syscall_32+0x156/0xf9d [ 29.995099] ? SyS_read+0x220/0x220 [ 29.998706] do_fast_syscall_32+0x3ee/0xf9d [ 30.002996] ? do_int80_syscall_32+0x9d0/0x9d0 [ 30.007544] ? kasan_check_read+0x11/0x20 [ 30.011657] ? syscall_return_slowpath+0x550/0x550 [ 30.016556] ? SyS_rt_sigaction+0x94/0x1b0 [ 30.020756] ? SyS_sigprocmask+0x4b0/0x4b0 [ 30.024955] ? SyS_read+0x184/0x220 [ 30.028550] ? retint_user+0x18/0x18 [ 30.032231] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 30.037039] entry_SYSENTER_compat+0x54/0x63 [ 30.041411] RIP: 0023:0xf7f7cc79 [ 30.044741] RSP: 002b:00000000ffd5fc9c EFLAGS: 00000297 ORIG_RAX: 0000000000000004 [ 30.052429] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000020fecf2b [ 30.059668] RDX: 00000000000000ce RSI: 00000000080ef00c RDI: 000000000000003f [ 30.066902] RBP: 0000000000001000 R08: 0000000000000000 R09: 0000000000000000 [ 30.074135] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 30.081368] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 30.088653] Dumping ftrace buffer: [ 30.092173] (ftrace buffer empty) [ 30.095851] Kernel Offset: disabled [ 30.099444] Rebooting in 86400 seconds..